
No source IP address found, cannot proceed.


kino


Hi,

I know that Spamdeputy is not your department here but I am having some trouble getting any information from that side.

I have started reporting spam here but I often get the error above:

Ignored

No source IP address found, cannot proceed.

Add/edit your mailhost configuration

Finding full email headers

Submitting spam via email (may work better)

Example: What spam headers should look like

Nothing to do.

In fact only 1/15 seem to go through the parser ok when sent from Spamdeputy. Is this something I can resolve from here? I really need to use an automatic solution for this rather than copy+pasting into the forms.

On a side note, when a spam email is successfully parsed, do you then also have to click 'send report'? I am reporting as a mole and I was a little unclear about that.

Thanks for your advice


OK second answer first...yes you do as that is what tells spamcop that you have checked the parse and confirmed it is correct. The address the reports go to should indicate that it is not being sent outside of spamcop.

Second question: You don't state which version of SpamDeputy you are using (Stand-alone or Outlook add-in) and I have no experience with either. If you use the search function of these forums, searching all forums for "spamdeputy", I received 25 different threads you might want to scan.

If none of those threads answer your problem, post back here with a more detailed description of your setup (OS, software and versions) along with a tracking URL for one of the problem parses (maybe a good parse also for comparison) and we can try to look into it a bit deeper. If it does solve your problem, please post that here as well so we can mark the thread closed.


I TOO just started having this problem.....just this morning, I have received at least 5 e-mails where the sender somehow figured out how to either REMOVE the header info or bypass the computer that adds the info. Check this out:

Microsoft Mail Internet Headers Version 2.0

Received: by my.local.server

id <x>; Wed, 25 May 2005 07:57:10 -0700

content-class: urn:content-classes:message

MIME-Version: 1.0

Content-Type: application/ms-tnef;

name="winmail.dat"

Content-Transfer-Encoding: binary

Subject: Well well wlel!

Date: Wed, 25 May 2005 07:57:10 -0700

X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0

Message-ID: <x>

X-MS-Has-Attach:

X-MS-TNEF-Correlator: <x>

Thread-Topic: Well well wlel!

Thread-Index: AcVgR0ecGHvZ/kMVSHyVhls6AKdSvw==

From: "Bauer Q. Game" <x>

To: "Robert Williams" <x>

I obviously removed all the information that pertained to my system, but from what it looks like, the user is working from a Windows 2003 Exchange Server.

Is this now possible with Windows 2003 Server?


> I TOO just started having this problem.....just this morning, I have received at least 5 e-mails where the sender somehow figured out how to either REMOVE the header info or bypass the computer that adds the info. Check this out:
>
> I obviously removed all the information that pertained to my system, but from what it looks like, the user is working from a Windows 2003 Exchange Server.

Well, it is up to "my.local.server" to indicate where it got the message from. That MAY be the only header that can be trusted.


> Well, it is up to "my.local.server" to indicate where it got the message from. That MAY be the only header that can be trusted.

Ok, any clues as to where I would be able to find information on why my server would not report this information? This is the 1st time I've run into this.


> Ok, any clues as to where I would be able to find information on why my server would not report this information? This is the 1st time I've run into this.

Well, you do not indicate what platform your mail server is (Exchange?) which could affect my answer. A couple quick possibilities.

Have you performed any upgrades recently?

Does your server accept messages from other internal machines that are possibly infected or relaying themselves? (check the logs)


> Well, you do not indicate what platform your mail server is (Exchange?) which could affect my answer. A couple quick possibilities.
>
> Have you performed any upgrades recently?
>
> Does your server accept messages from other internal machines that are possibly infected or relaying themselves? (check the logs)

Sorry, yes, I am using Exchange 2000. And no, I haven't made any recent configuration changes to the Exchange server. Also, I still got some messages (before and after) that had the IP Addresses of the sending system.

As for the internal messages, I do know that whenever an internal message is received, there are 0b in the header. So, it's not probable that it came from inside.

I posted this question on the MS TechNet site also, I will let you know if I hear anything else.

Thanks

RW


Hi Steven,

Thanks for your time in this.

I'm using XP Pro here, with Outlook 2002. Yes - this is the spam Deputy plugin version 1.0.7.33. I only downloaded this last week so I believe it's their most up to date one. (www.spamdeputy.com)

I have the headers here of two submissions:

1) Unsuccessfully Parsed

Return-Path: <Raymond.Wolf[at]pokerstars.com>

Received: from my.servername.com (root[at]localhost)

by mycompany.com (8.12.11/8.12.11) with ESMTP id j4PH10nm032272

for <x>; Wed, 25 May 2005 18:01:00 +0100

X-ClientAddr: 80.119.41.100

Received: from 100.41.119-80.rev.gaoland.net

(100.41.119-80.rev.gaoland.net [80.119.41.100])

by my.servername.com (8.12.11/8.12.11) with SMTP id

j4PH0Gn1030657

for <x>; Wed, 25 May 2005 18:00:25 +0100

Received: from bolt-fe3.bolt.com (mail.bolt-fe3 [216.74.152.11])

by be3 (Cyrus v2.2.10) with LMTPA;

Wed, 25 May 2005 10:47:39 -0700

X-Sieve: CMU Sieve 2.2

Received: from kittymail.com (bay10-f23.bay10.kittymail.com

[203.86.166.62])

by postmark.fe3.postmark.com (8.12.11/8.12.11) with ESMTP id

j4BM34K2001238

for <x>; Wed, 25 May 2005 16:55:39 -0100

Received: from mail pickup service by 123mail.net with Microsoft

SMTPSVC;

Wed, 25 May 2005 12:50:39 -0500

Message-ID: <BAY1__________________________1100[at]phx.gbl>

Received: from 64.62.137.76 by by10fd.bay10.123mail.net with HTTP;

Wed, 25 May 2005 20:53:39 +0300

X-Originating-IP: [64.62.137.76]

X-Originating-Email: [TimothyHoward[at]123mail.net]

X-Sender: TimothyHoward[at]123mail.net

From: "Timothy" <TimothyHoward[at]123mail.net>

To: x

Subject: Response Needed Soon

Date: Wed, 25 May 2005 19:49:39 +0200

X-OriginalArrivalTime: Wed, 25 May 2005 14:48:39 -0300 (UTC)

FILETIME=[8254B350:01C55675]

X-mycompany-MailScanner-Information: Please contact the ISP for more

information

X-mycompany-MailScanner: Found to be clean

Status:

X-Antivirus: AVG for E-mail 7.0.322 [266.11.16]

Mime-Version: 1.0

Content-Type: text/plain; format=flowed

Client Update:

Several Companies have been competing for your mortgage refinance

application over the past 2 weeks.

The company that offered the lowest rate, and largest

loan quantity has requested your information be verified.

[links removed by me]

2) Successfully Parsed

Return-Path: <smieusqsfvgcy[at]netscape.net>

Received: from my.servername.com (root[at]localhost)

by mycompany.com (8.12.11/8.12.11) with ESMTP id

j4Q1rgJD000396;

Thu, 26 May 2005 02:53:42 +0100

X-ClientAddr: 205.201.127.133

Received: from xx.xx.xx.xxx ([205.201.127.133])

by my.servername.com (8.12.11/8.12.11) with SMTP id

j4Q1rOFO000376;

Thu, 26 May 2005 02:53:31 +0100

Message-Id: <2005___________________0376[at]my.servername.com>

Received: from LDZQF-XC82 (205.201.127.133) by 205.201.127.133; Wed, 25

May 2005 20:48:53 -0600

From: "Deborah Rowell" <smieusqsfvgcy[at]netscape.net>

To: x

Subject: C$ALIS soft now forgery

Date: Wed, 25 May 2005 20:48:53 -0600

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2800.1437

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437

X-e3internet-MailScanner-Information: Please contact the ISP for more

information

X-e3internet-MailScanner: Found to be clean

X-spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on

my.servername.com

X-spam-Level: ***

X-spam-Status: No, score=3.3 required=5.0 tests=BAYES_00,HTML_80_90,

HTML_IMAGE_ONLY_20,HTML_MESSAGE,MSGID_FROM_MTA_HEADER,

Now I look at them both together - I only see my server IP (xx.xx.xx.xxx) in the successfully parsed one.

Do you want me to post the tracking URL's here or PM them?

Thanks

Kino


> 1) Unsuccessfully Parsed
>
> Return-Path: <Raymond.Wolf[at]pokerstars.com>
>
> Received: from my.servername.com (root[at]localhost)
>
>         by mycompany.com (8.12.11/8.12.11) with ESMTP id j4PH10nm032272
>
>         for <x>; Wed, 25 May 2005 18:01:00 +0100
>
> 2) Successfully Parsed
>
> Return-Path: <smieusqsfvgcy[at]netscape.net>
>
> Received: from my.servername.com (root[at]localhost)
>
>         by mycompany.com (8.12.11/8.12.11) with ESMTP id
>
> j4Q1rgJD000396;
>
>         Thu, 26 May 2005 02:53:42 +0100
>
> Do you want me to post the tracking URL's here or PM them?

Tracking URL's should be all you need to post here as we can get the full message (munged) from there and see exactly what was submitted. For instance, if the blank line presented above were actually in the submission, that would be one reason for a failure.

My first question is why are these two headers, which appear to be from the same server, formatted differently? In other words, one has the "for <x>;" part and the other doesn't. All the servers I deal with will either always put that line in or will never put the line in so are we dealing with 2 different servers named "my.servername.com"?


Nope, same server. It's odd.

http://www.spamcop.net/sc?id=z767815689z8e...76bc3db7263c7az

http://www.spamcop.net/sc?id=z767817326z3e...c7ce39b2349c49z

All I could think of is that some of the mail is coming into the one account from redirects (within the same domain). That blank line is there though so you seem to have explained the parse failure. Now to work out why it's there ;)


> Nope, same server. It's odd.
>
> http://www.spamcop.net/sc?id=z767815689z8e...76bc3db7263c7az
>
> http://www.spamcop.net/sc?id=z767817326z3e...c7ce39b2349c49z
>
> All I could think of is that some of the mail is coming into the one account from redirects (within the same domain). That blank line is there though so you seem to have explained the parse failure. Now to work out why it's there ;)

OK, but even the "working" one has problems...

If you view the message source, there are wrapping problems (any continuation line needs to start with whitespace), another blank line in the X-spam-Status: line and there is no closing boundary on the boundary.

Here is an example of the headers when forwarded from spamcop webmail:

http://www.spamcop.net/sc?id=z767916515z45...873df977966471z

FYI: The text shown at the top of the parse (before the View entire message link) is what the parser is finding for headers. The rest of the message is considered the body of the message.


Sorry I seem to have deleted this post - way too hectic today. Basically I was writing that I would go off and try some of the other automated reporting tools mentioned here:

http://www.spamcop.net/fom-serve/cache/122.html

And the macro for Outlook discussed here:

http://forum.spamcop.net/forums/index.php?...st=0entry5797

Update:

Sorry nothing positive to report here

The automated macro throws exactly the same error (takes that line out).

olspam throws an error: Outlook spam Report Utility: [Collaboration Data Objects - [MAPI_E_NOT_FOUND(8004010f00]]

spam Source doesn't even load. http://www.daesoft.com/SpamSource/index.htm -I have tried their fix mentioned for this problem in Outlook 2003 but this isn't the case for 2002.

So looks like the automated options either need some programming work or my copy of Outlook is playing up.

I'm getting a new copy of Office in a month, I'll come back and try again then. Sorry if this sounds lazy but I really need an automated solution here. I can handle the link clicking for spam approval but not the manual copy + pasting submission.

Thanks


  • 3 weeks later...

Hi I'm also having problems with reporting at Spamcop.net responding to all my submissions with No source IP address found, cannot proceed.

However if I use the link www.spamcop.com instead, the headers are parsed and I can send emails directly to the alleged abuse sites. I wonder why the difference?

A typical email that fails with www.spamcop.net is

Return-Path: <fishbourne_s[at]bonbon.net>

Received: from spool-host3.tpgi.com.au ([unix socket])

by spool-host3.tpgi.com.au (Cyrus v2.1.16-TPG) with LMTP; Mon, 13 Jun 2005 20:41:12 +1000

Received: from AMarseille-251-1-72-138.w83-205.abo.wanadoo.fr (AMarseille-251-1-72-138.w83-205.abo.wanadoo.fr [83.205.194.138])

by mail.tpg.com.au (8.12.10/8.12.10) with ESMTP id j5DAeTo1025699;

Mon, 13 Jun 2005 20:41:11 +1000

Message-Id: <200506131041.j5DAeTo1025699[at]mail.tpg.com.au>

Received: from bonbon.net (mx3.bonbon.net [38.113.3.75])

by AMarseille-251-1-72-138.w83-205.abo.wanadoo.fr (Postfix) with ESMTP id Z0C4P5R693

for <cgilford[at]tpg.com.au>; Mon, 13 Jun 2005 07:41:48 +0000

From: "Barbara" <fishbourne_s[at]bonbon.net>

To: <cgilford[at]tpg.com.au>

Subject: look through the letter - FAMILY NIGHTMARE

Date: Mon, 13 Jun 2005 07:41:48 +0000

MIME-Version: 1.0

X-Mailer: Microsoft Office Outlook, Build 11.0.5510

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

Thread-Index: 2CvAecZRU4CIpuvfROa7mAHemu2A56hpyOn2

Content-Type: text/plain;

charset="Windows-1252"

Content-Transfer-Encoding: 7bit

X-TPG-Antivirus: Passed

Does anyone understand why the standard Spamcop site has a problem?


What is displayed between "Parsing header:" and "No source IP address found, cannot proceed."?

What is the Tracking URL for your attempt? I copied what you pasted and generated my own Tracking URL http://www.spamcop.net/sc?id=z774451331z9c...d763b158f1d20cz, which appears to parse fine, willing to report to "best contacts postmaster<at>wanadoo.fr abuse<at>wanadoo.fr" (except that "postmaster[at]wanadoo.fr bounces (205 sent : 103 bounces").

By "the standard Spamcop site", do you mean http://spamcop.net/?

Please see "Header incomplete, aborting." and "No source IP address found, cannot proceed." per Original SpamCop FAQ & Added Forum Items.

It is also possible that you have Mailhosts configured for one site and not the other.

Thanks!


Thanks Jeff G! In answer to your question, I turned technical details on which certainly helped explain a lot, but not all. I got:

------------------------

Parsing header:

0: Received: from AMarseille-251-1-72-138.w83-205.abo.wanadoo.fr (AMarseille-251-1-72-138.w83-205.abo.wanadoo.fr [83.205.194.138]) by mail.tpg.com.au (8.12.10/8.12.10) with ESMTP id j5DAeTo1025699; Mon, 13 Jun 2005 20:41:11 +1000

No unique hostname found for source: 83.205.194.138

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

No source IP address found, cannot proceed.

Add/edit your mailhost configuration

Finding full email headers

Submitting spam via email (may work better)

Example: What spam headers should look like

Nothing to do.

----------------------------

It seems the header including the source in the oldest header line is forged and this type of email cannot be reported. If the originating IP is forged, it means there is nothing one can do at all to report such emails to their origins.

The tracking URL is

http://www.spamcop.net/sc?id=z774757519zfe...75e0b4c64cf44bz.

and yes, I am using //spamcop.net

Despite the above, I'm interested to find out why you successfully got it to generate a report and I didn't. Any ideas? Maybe it is the mailhosts. On this issue I'm not quite sure what to do. Cheers Chris


Hi Jeff G

I re-entered the mail hosts under the new experimental system and now the reports are there!! Thanks for your help. By the way, can e-mail headers be forged to the point where they are impossible to trace or is there always a means of deciphering the real source?

Chris G


I'm glad you got it working. Thanks for the update. IIUC, Julian is constantly working to thwart spammers' forgeries and other efforts at avoiding detection.


> By the way, can e-mail headers be forged to the point where they are impossible to trace or is there always a means of deciphering the real source?

That answer depends on where the spam is inserted into the stream and how it got there. Basically, it comes down to which machines to trust that their headers are correct in order to step back another level.

If the message came through an open relay of some kind, that will usually be as far back as you can trace it.

If the message was inserted on your local network, there may be no way to trace at all.

The last header should always be placed there by your ISP and is assumed to be trusted. For the same account, that line should always be the same format as well. Beyond that, it depends on where your ISP got the message.

The best way I've found to see what good headers should look like is to send yourself an email message from another account (or have a friend do it) and parse those headers manually and using spamcop. DO NOT REPORT THIS MESSAGE.
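The two failure modes discussed in this thread, as an added Python example that is not part of the original posts and is not SpamCop's own parser: a stray blank line ends the header block before any Received: line is seen, and a receiving host missing from the reporter's mailhost list stops the trust walk before a source IP is found. The function names, hostnames, addresses and the sample message are all constructed for illustration.

```python
import re

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)

def split_headers(raw):
    """Return unfolded header lines; the header block ends at the first blank line."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                                  # everything after this is body
        if line[0] in " \t" and headers:
            headers[-1] += " " + line.strip()      # continuation of previous header
        else:
            headers.append(line)
    return headers

def find_source_ip(raw, mailhosts):
    """Walk Received: lines newest-first, trusting a hop only if its 'by' host
    is one of our mailhosts. Return the IP handed to the last trusted hop, or None."""
    source = None
    for header in split_headers(raw):
        if not header.lower().startswith("received:"):
            continue
        by = BY_RE.search(header)
        if not by or by.group(1).lower() not in mailhosts:
            break                                  # untrusted: ignore this hop and all older ones
        ip = IP_RE.search(header)
        if ip:                                     # internal handoffs may carry no IP
            source = ip.group(1)
    return source

# Constructed sample: internal handoff, edge hop, then an older hop nobody vouches for.
GOOD = (
    "Return-Path: <sender@example.org>\n"
    "Received: from mx.example.net (root@localhost)\n"
    "\tby mail.example.net with ESMTP id a1; Mon, 13 Jun 2005 20:41:12 +1000\n"
    "Received: from dialup.example.org (dialup.example.org [203.0.113.45])\n"
    "\tby mx.example.net with ESMTP id a2; Mon, 13 Jun 2005 20:41:11 +1000\n"
    "Received: from mail.example.com (mail.example.com [198.51.100.7])\n"
    "\tby dialup.example.org (Postfix) with ESMTP id a3\n"
    "Subject: constructed sample\n"
    "\nbody\n"
)
# Same message with a blank line injected after Return-Path, as a broken submitter might.
BROKEN = GOOD.replace("<sender@example.org>\n", "<sender@example.org>\n\n", 1)
MAILHOSTS = {"mail.example.net", "mx.example.net"}

if __name__ == "__main__":
    print("good message, mailhosts set :", find_source_ip(GOOD, MAILHOSTS))
    print("good message, wrong mailhost:", find_source_ip(GOOD, {"mail.other.example"}))
    print("blank line in headers       :", find_source_ip(BROKEN, MAILHOSTS))
```
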


> Hi I'm also having problems with reporting at Spamcop.net responding to all my submissions with No source IP address found, cannot proceed.
>
> However if I use the link www.spamcop.com instead, the headers are parsed and I can send emails directly to the alleged abuse sites. I wonder why the difference?
>
> Does anyone understand why the standard Spamcop site has a problem?

There is no "connection" between the original SpamCop.NET and the various items that keep popping up on the sites spamcop.com and spamcop.org .....


Archived

This topic is now archived and is closed to further replies.
